First published: Wed Sep 02 2015
A flaw was found in IPython's notebook handling: the local folder name was used in HTML templates without escaping, allowing XSS in those pages by carefully crafting a folder name and the URL used to access it.

Original report: http://seclists.org/oss-sec/2015/q3/474

Upstream patches:

- 3.x: https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892
- 4.0.x: https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3
- 4.x: https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jupyter Notebook | =4.0.0 | |
| Jupyter Notebook | =4.0.1 | |
| Jupyter Notebook | =4.0.2 | |
| Jupyter Notebook | =4.0.3 | |
| Jupyter Notebook | =4.0.4 | |
| Fedoraproject Fedora | =21 | |
| Fedoraproject Fedora | =22 | |
| Fedoraproject Fedora | =23 | |
| openSUSE openSUSE | =13.1 | |
| openSUSE openSUSE | =13.2 | |
| IPython Notebook | <=3.2.1 | |
| redhat/ipython | <4.0.5 | 4.0.5 |
| redhat/ipython | <4.1 | 4.1 |
| redhat/ipython | <3.2.2 | 3.2.2 |
| pip/ipython | <=3.2.1 | 3.2.2 |
| pip/notebook | >=4.0.0, <=4.0.4 | 4.0.5 |